Remarks 

The present amendment responds to the Official Action dated April 22, 2004. The 
Official Action rejected claims 1-10 and 12-14 under 35 U.S.C. § 103(a) based on Wesinger, Jr. 
et al. U.S. Patent No. 6,052,788 (Wesinger) in view of Reid et al. U.S. Patent No. 6,182,226 
(Reid). Claim 11 was rejected under 35 U.S.C. § 103(a) based on Wesinger and Reid and further 
in view of Bechtolsheim et al. U.S. Patent No. 6,515,963 (Bechtolsheim). These grounds of 
rejection are addressed below following a brief discussion of the present invention to provide 
context. 

Claim 1 has been amended to modify the term "datagram" with the term "connectionless" 
in the discarding step to be consistent with the previous usage in the determining step of the 
claim. Claims 1-14 are presently pending. 



The Present Invention 

The present invention recognizes that the consequences of intentional datagram flooding 
attacks and unintentional overload situations resulting from a burst of connectionless datagrams 
can be mitigated by dropping the traditional notion of attempting to distinguish between 
legitimate and illegitimate traffic. In the present invention, both legitimate and illegitimate 
datagram traffic is subject to a common policy that attempts to guarantee that legitimate work 
will be performed and a server will not crash in flooding situations, irrespective of whether the 
flooding is caused by legitimate or illegitimate datagram traffic. The present invention helps to 
prevent a server from crashing due to overload and it prevents one or more attackers from 
consuming all resources on a network server. 

According to the present invention, in response to the arrival of a datagram destined for a 
specified port on a network server, the transmitting host is identified from the datagram and the 
number of datagrams already queued for the same host and for the same port is determined. If 
this number exceeds a prescribed threshold, the datagram is discarded. 

The prescribed threshold is dynamically determined in a presently preferred embodiment. 
The owner of the network server specifies for each port that is subject to datagram flooding a 
maximum number of queued datagrams (M) allowed at any time to the port and a controlling 
percentage (P) of available queue slots remaining for the port. The present invention keeps track 
of the number (A) of queued datagrams for the port and it calculates the number of available 
queue slots (I) by subtracting the number of queued datagrams from the maximum number of 
datagrams (I = M - A). If the number of datagrams already queued for the transmitting host is 
equal to or greater than P times the number of queue slots left (M > P*I), then the present 
datagram is not queued for the port. Otherwise, the datagram is queued and the number of 
queued datagrams (A) for the port is incremented by one. 
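The admission rule of the preferred embodiment described above, as an added illustration that is not code from the application or from IBM: a per-port bookkeeping object tracks M, P, A, I = M - A and a per-host count, and refuses a datagram once its host already holds at least P times the remaining slots. The host addresses in the simulation are constructed sample values.

```python
from collections import defaultdict


class PortQueue:
    """Per-port admission control: M = maximum queued datagrams allowed on the
    port, P = controlling fraction of the remaining free slots one host may hold."""

    def __init__(self, max_queued, control_fraction):
        self.M = max_queued
        self.P = control_fraction
        self.A = 0                        # datagrams currently queued on the port
        self.per_host = defaultdict(int)  # datagrams queued per transmitting host

    def available(self):
        return self.M - self.A            # I = M - A

    def arrive(self, host):
        """Return True if the datagram is queued, False if it is discarded."""
        slots_left = self.available()
        # Host already holding >= P * I is refused; when I == 0 every host is refused,
        # so a full queue can never be overrun.
        if self.per_host[host] >= self.P * slots_left:
            return False
        self.per_host[host] += 1
        self.A += 1
        return True

    def dequeue(self, host):
        """Server consumed one queued datagram from this host: free its slot."""
        if self.per_host[host] > 0:
            self.per_host[host] -= 1
            self.A -= 1


def simulate(max_queued=100, control_fraction=0.5, flood_count=200):
    """One host floods the port; a second host then sends a single datagram.
    Returns (datagrams the flooder got queued, whether the second host was
    queued, total queued on the port)."""
    q = PortQueue(max_queued, control_fraction)
    accepted_flood = sum(q.arrive("198.51.100.7") for _ in range(flood_count))
    legit_ok = q.arrive("192.0.2.10")  # constructed address of a normal client
    return accepted_flood, legit_ok, q.A
```

With M = 100 and P = 0.5 the flooder is capped at 34 queued datagrams (it is refused as soon as its count reaches half of the remaining 66 slots), leaving the port open to other hosts.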



The Art Rejections 

As addressed in greater detail below, Wesinger, Reid, and Bechtolsheim do not support 
the Official Action's reading of them and the rejections based thereon should be reconsidered 
and withdrawn. Further, the Applicant does not acquiesce in the analysis of the relied upon art 
made by the Official Action and respectfully traverses the Official Action's analysis underlying 
its rejections. 

Claims 1-10 and 12-14 were rejected under 35 U.S.C. § 103(a) based on Wesinger in 
view of Reid. Wesinger describes a firewall which employs envoys which combine the security 
robustness described in prior-art proxies and the transparency and ease-of-use of prior-art packet 
filters. Wesinger, Abstract. To achieve full transparency, the firewall is configured as two or 
more sets of virtual hosts. One set of hosts responds to addresses on a first network interface of 
the firewall. Another set of hosts responds to addresses on a second network interface of the 
firewall. Before traffic can pass through the firewall, an envoy must be established for that 
traffic. Wesinger, col. 3, lines 60-62. 

As described at col. 13, lines 27-48, authentication rules checking is performed on a first 
data packet to be sent from a first computer to a second computer. If the result of this rules 
checking is to allow the first packet to be sent, a time-out limit associated with communications 
between the first computer and the second computer via UDP is established, and the first packet 
is sent from one of the virtual hosts to the second computer on behalf of the first computer. 
Thereafter, for so long as the time-out limit has not expired, subsequent packets between the first 
computer and the second computer are checked and sent. After the time-out limit has expired, 
the virtual host may be remapped to a different network address to handle a different connection. 
Typical authentication rules include restricting access to a known secure host, and requiring 
username/password authentication. By allowing traffic to pass before expiration of a timer, 
Wesinger's envoy handles connectionless traffic in a totally different manner than the present 
invention. 

In contrast, the present invention addresses a method for defending against network 
flooding attacks of connectionless datagrams. In particular, the method determines, in response 
to the arrival of a connectionless datagram from a host for a port on a network server, if the 
number of connectionless datagrams already queued to the port from the host exceeds a 
prescribed threshold. If so, the method discards the connectionless datagram, which 
advantageously prevents a particular host from flooding a particular port. If the number of 
connectionless datagrams already queued to the port from the host does not exceed the prescribed 
threshold, the connectionless datagram is queued to a queue slot of the port. Claim 1, as presently 
amended, reads as follows: 

    1. A method of preventing a flooding attack on a network server in 
    which a large number of connectionless datagrams are received for queuing to a 
    port on the network server, comprising: 

    determining, in response to the arrival of a connectionless datagram from a 
    host for a port on the network server, if the number of connectionless datagrams 
    already queued to the port from the host exceeds a prescribed threshold; 

    discarding the connectionless datagram, if the number of connectionless 
    datagrams already queued to the port from the host exceeds the prescribed 
    threshold; and 

    queuing the connectionless datagram to a queue slot of the port, if the 
    number of connectionless datagrams already queued to the port from the host does 
    not exceed the prescribed threshold. (emphasis added) 

Wesinger does not teach and does not suggest "determining, in response to the arrival of a 
connectionless datagram from a host for a port on the network server, if the number of 
connectionless datagrams already queued to the port from the host exceeds a prescribed 
threshold," as presently claimed. Further, Wesinger does not teach and does not suggest 
"discarding the connectionless datagram, if the number of connectionless datagrams already 
queued to the port from the host exceeds the prescribed threshold," as presently claimed. 
Wesinger merely provides authentication rules in combination with a timer to allow traffic to 
pass through the firewall. 

The Official Action relies on the text found at col. 14, lines 220 1, col. 14, lines 36-37, 
and col. 7, lines 1-4 of Wesinger as purportedly suggesting the determining, discarding, and 
queuing steps in claim 1. Applicants respectfully disagree. These relied upon portions of text 
address connection-oriented protocols and not connectionless datagrams as claimed. It should be 
noted that the disclosure at col. 13, lines 27-48 of Wesinger which is discussed above addresses 
Wesinger's approach to connectionless datagrams. That approach is clearly different than that 
which is presently claimed. 

Reid fails to cure the deficiencies of Wesinger as a reference. Reid describes a firewall 
used to achieve network separation within a computing system having a plurality of network 
interfaces. A plurality of regions is defined within the firewall and a set of policies is configured 
for each of the plurality of regions where each network interface is assigned to only one region. 
Reid, Abstract and col. 1, lines 64-65. Reid's firewall restricts communication to and from each 
of the plurality of network interfaces in accordance with the set of policies configured for the 
region assigned to the network interfaces carrying the communication. Reid, col. 1, line 67 - col. 
2, line 4. To program the set of policies, Reid utilizes an access control language. Such access 
control language allows policies to restrict access to communication by utilizing criteria such as 
source and destination region, users and groups, load balancing, and maximum number of 
concurrent sessions. Reid, col. 7, lines 39-58. These varied criteria of Reid do not make obvious 
the presently claimed approaches of preventing a flooding attack on a network server. 

The Official Action apparently relies on Reid solely for the end result of "a method of 
preventing a flooding attack on a network server." Although Reid's disclosure states that its 
system is designed to defend against known network penetration and denial of service attacks 
such as a SYN flood attack, Reid's specific approach of programming policies to specific 
network regions utilizing access rules to limit communication access is quite different than the 
present invention. Reid's disclosure is silent with respect to specific steps to defend against such 
an attack. 

Combining Reid and Wesinger as the Official Action suggests would still fall short of 
meeting the presently claimed features. Reid and Wesinger, separately or in combination, do not 
teach and do not suggest "determining, in response to the arrival of a connectionless datagram 
from a host for a port on the network server, if the number of connectionless datagrams already 
queued to the port from the host exceeds a prescribed threshold," as presently claimed in claim 1. 
Reid and Wesinger, separately or in combination, do not teach and do not suggest "discarding the 
connectionless datagram, if the number of connectionless datagrams already queued to the port 
from the host exceeds the prescribed threshold," as presently claimed. See also claims 3, 5, and 
7. 

Dependent claim 11 was rejected under 35 U.S.C. § 103(a) based on Wesinger and Reid 
and further in view of Bechtolsheim. Bechtolsheim fails to cure the deficiencies of Wesinger and 
Reid. Since claim 11 depends from and contains all the limitations of claim 1 as presently 
amended, claim 11 distinguishes from the references in the same manner as claim 1. 

Conclusion 

All of the presently pending claims, as amended, appearing to define over the applied 
references, withdrawal of the present rejection and prompt allowance are requested. 




Respectfully submitted, 



Jerry W. Herndon 
Reg. No. 27,901 
IBM Corporation 



T81/503, 3039 Cornwallis Road 